Troubleshooting SAML SSO

You can enable the debug mode by selecting the Debug check box on
the Single Sign-On > SAML page. You should disable this setting in production.

An attribute is missing or was mistyped

In the following sample error message, the name of the attribute configured for the user email
address was named email, but that doesn't exist in the saml message.
In this example, MAIL is the name of the correct attribute.

com.jivesoftware.community.aaa.sso.SSOAuthenticationException: User did not have the required attributes send from the identity provider. Missing attribute: email. Given attributes: [MAIL, title, companyname, FIRSTNAME, LASTNAME]

"Missing attribute" field in an error message is blank

If Jive is trying to sync a single name as Firstname and
Lastname, you will see a message like this:

com.jivesoftware.community.aaa.sso.SSOAuthenticationException: User did not have the required attributes send from the identity provider. Missing attribute: .

To work around this problem, set the system property saml.nameField
to the same attribute the first name is populated from.

Authentication works on some nodes, not others

You may discover that the certificates in the metadata for each node are different:
Jive metadata won't be the same on each node and so authentication succeeds on some
nodes and fail on others. To verify that the same key is being used on each node, go
directly to the /saml/metadata path for each node.

This problem
occurs when the Storage Provider File system caching is enabled. To disable it, go to System > Settings > Storage Provider, click Edit, and then select
No under Cache Enabled.

"Responder" message

A status message in the following format indicates a problem with your IdP configuration.

If the IdP clock is ahead of the Jive clock by even a
second, the notBefore check fails and you get the following message:

Assertion is not yet valid, invalidated by condition notBefore ?

This problem can be caused by clock drift on either end, but you can also try
addressing it by adjusting the Response Skew setting in the General SSO settings. For
more information, see Response Skew in Configuring SSO with SAML.

username doesn't exist in attribute

If the attribute with the username does not exist, you can see the following message:

ERROR org.springframework.security.saml.SAMLProcessingFilter - There was an error during SAML authentication
java.lang.IllegalArgumentException: [Assertion failed] - this argument is required; it must not be null

The
attribute may be located in the Subject NameID instead, in which case
you should make sure the Override Subject NameID for
Username checkbox is cleared on the General
tab of your SAML settings. Otherwise, you may need to add the
username attribute to the SAML message.